DETAILED ACTION 



Response to Amendment 

1. This action is in response to the communication dated August 7, 2006 with the 
amendments to claims 1, 10, 12-14, 17-18, 24, 27, 32, 42, 50, 57 and 62 and the 
cancellation of claims 8-9, 11, 20, 26, 28, 30, 34, 36, 47-48 and 51. 

2. Claims 1-7, 10, 12-19, 21-25, 27, 29, 31-33, 35, 37-46, 49-50 and 52-69 are 
pending. 

Response to Arguments 

3. Applicant's arguments filed August 7, 2006 have been fully considered but they 
are not persuasive. Applicant argues that Copeland does not teach grouping the plurality of 
TCP packets into packet flows and sessions, storing the packet flows in packet flow 
descriptors, and searching for a network attack identifier in the TCP stream based on the 
packet flow descriptors and sessions associated with the TCP stream. The examiner 
respectfully disagrees: Fig. 1, elements F1-F4, and paragraphs 0039 and 0050 of Copeland 
clearly identify grouping the plurality of TCP packets into packet flows (paragraphs 
0086-0096) and sessions (paragraphs 0071-0085); further, Copeland discloses storing 
the packet flows in packet flow descriptors (paragraph 0050) and searching for a 
network attack identifier in the TCP stream based on the packet flow descriptors and 
sessions associated with the TCP stream (paragraphs 0051, 005, 0081-0083, 0172). 



Application/Control Number: 10/072,683 Page 3 

Art Unit: 2137 

As to claims 22 and 39, Nikander discloses that searching specifications as a set of rules for 
efficiently evaluating them against data samples has been a standard technique in 
databases, pattern matching, data processing and artificial intelligence. Nikander does 
not specifically disclose using deterministic finite automata (DFA) for pattern matching. 
The DFA technique is well known for solving pattern matching problems, and per applicant's 
request the examiner respectfully submits two documents (i.e., "Improving an Algorithm for 
Approximate Pattern Matching", 1998 and "A Partial Deterministic Automaton for 
Approximate String Matching", 1997) to support the use of the DFA technique in providing a 
pattern matching solution. 

Claim Rejections - 35 USC § 101 

4. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

5. Claims 24, 27, 39, 42 and 57 are rejected under 35 U.S.C. 101 because the 
claimed invention is directed to non-statutory subject matter. These claims lack the 
necessary physical articles or objects to constitute a machine or a manufacture within 
the meaning of 35 USC 101. They are a series of software modules and they are clearly 
not a series of steps or acts to be a process nor are they a combination of chemical 
compounds to be a composition of matter. As such, they fail to fall within a statutory 
category. They are, at best, functional descriptive material, per se. 



Claim Rejections - 35 USC § 103 
6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

7. Claims 1-7, 10, 12-18, 21-25, 27, 31-33, 35, 37-41, 43-45, 49-50, 52-56, 58, and 
60-69 are rejected under 35 U.S.C. 103(a) as being unpatentable over Gleichauf et al. 
(6,499,107) and Gleichauf et al. (6,324,656) in view of Nikander et al. (6,253,321) and 
further in view of Copeland, III (2003/0105976). 

a) As to claims 1 and 24, Gleichauf discloses a method and system for 
adaptive network security using intelligent packet analysis comprising reassembling a 
plurality of TCP packets in the network traffic into a TCP stream. Gleichauf implicitly 
discloses this limitation (i.e., TCP stream reassembly) (col. 6, lines 39-40); to make it 
even clearer, the examiner takes official notice that reassembling TCP packets 
into a TCP stream is quite well known in data communications networks. Data traveling 
over an IP network is always broken up into packets; the IP protocol adds information to 
each packet so that the routers along the network know where the data came from and 
where it is going; the packets may be received out of order, and are reassembled 
in the proper order at the destination computer. Gleichauf further discloses inspecting 
the TCP stream to detect information indicative of a security breach (col. 3, lines 1-4), 
wherein inspecting the TCP stream to detect information indicative of a security breach 
(col. 2, lines 50-55) comprises storing a plurality of protocol specifications supported by 
the network in a protocol database; and querying the protocol database to determine 
whether the plurality of TCP packets are compliant with one or more of the plurality of 
protocol specifications in the protocol database (col. 6, lines 31-33; col. 8, lines 20-35). 

Gleichauf (6,324,656) also discloses inspecting the TCP stream to detect 
information indicative of a security breach comprises storing a plurality of protocol 
specifications supported by the network in a protocol database; and querying the 
protocol database to determine whether the plurality of TCP packets are compliant with 
one or more of the plurality of protocol specifications in the protocol database (Fig. 3B; 
col. 6, line 32 - col. 7, line 5). 

Gleichauf does not explicitly disclose dropping a TCP packet from the TCP 
stream if the TCP stream contains information indicative of security breaches and 
forwarding a TCP packet to a network destination if the TCP stream does not contain 
information indicative of security breaches. 

Nikander is relied on for the teaching of dropping a TCP packet from the TCP 
stream if the TCP stream contains information indicative of security breaches and 
forwarding a TCP packet to a network destination if the TCP stream does not contain 
information indicative of security breaches (col. 4, lines 41-45). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to employ the use of dropping a TCP packet from the TCP stream if the TCP 
stream contains information indicative of security breaches and forwarding a TCP 
packet to a network destination if the TCP stream does not contain information 
indicative of security breaches in the system of Gleichauf, as Nikander teaches so as to 
effectively manage communications data. 
Gleichauf (6,499,107 and 6,324,656) and Nikander do not specifically disclose 
grouping the plurality of TCP packets into packet flows and sessions; storing the packet 
flows in packet flow descriptors and searching for a network attack identifier in the TCP 
stream based on the packet flow descriptors and sessions associated with the TCP 
stream. Copeland is relied on for the teaching of grouping the plurality of TCP packets 
into packet flows and sessions (paragraphs 0039; 0050); storing the packet flows in 
packet flow descriptors (paragraph 0050) and searching for a network attack identifier in 
the TCP stream based on the packet flow descriptors and sessions associated with the 
TCP stream (paragraphs 0051, 005, 0081-0083, 0172). It would have been obvious to 
one of ordinary skill in the art at the time of the invention to employ the use of grouping 
the plurality of TCP packets into packet flows and sessions in the system of Gleichauf 
and Nikander, as Copeland teaches so as to effectively determine if the traffic data 
appears to be legitimate or possible suspicious activity. 
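The limitations traced through Gleichauf, Nikander and Copeland above (reassemble the TCP segments into a stream, check the stream against a protocol specification and a signature list, then drop or forward) fit in a few dozen lines. The following is an example added here for illustration; it is not code from the office action or from any of the cited patents. The HTTP request-line rule, the two signatures, the sequence numbers and the traffic are all constructed for the example, and the "hold" verdict for an incomplete request line is a design choice of this example, not something the references prescribe.

```python
"""Added example (not from the office action or any cited patent): a small TCP
stream reassembler feeding an inline inspection step that returns a
forward/drop/hold verdict. Protocol rule, signatures and traffic are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Segment:
    seq: int          # sequence number of the first payload byte
    payload: bytes


@dataclass
class Reassembler:
    """Puts segments back in sequence order, tolerating reordering and retransmission."""
    next_seq: int                                              # next byte we expect
    pending: Dict[int, bytes] = field(default_factory=dict)    # out-of-order segments by seq
    data: bytearray = field(default_factory=bytearray)         # in-order stream so far

    def add(self, seg: Segment) -> bytes:
        """Accept one segment and return the bytes newly appended to the in-order stream."""
        seq, payload = seg.seq, seg.payload
        if seq < self.next_seq:
            # Retransmission or overlap: keep only the part we have not seen yet.
            skip = self.next_seq - seq
            if skip >= len(payload):
                return b""
            seq, payload = self.next_seq, payload[skip:]
        self.pending[seq] = payload
        appended = bytearray()
        while self.next_seq in self.pending:      # drain every now-contiguous segment
            chunk = self.pending.pop(self.next_seq)
            appended += chunk
            self.next_seq += len(chunk)
        self.data += appended
        return bytes(appended)


# Constructed "protocol database": a single rule for the HTTP request line.
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def http_request_line_compliant(stream: bytes) -> Optional[bool]:
    """True/False once a complete request line is present; None while it is still partial."""
    end = stream.find(b"\r\n")
    if end < 0:
        return None
    parts = stream[:end].split(b" ")
    return (len(parts) == 3 and parts[0] in HTTP_METHODS
            and parts[1].startswith(b"/") and parts[2].startswith(b"HTTP/1."))


# Constructed signature database (attack identifiers searched for in the stream).
SIGNATURES = [b"../../", b"/etc/passwd"]


def inspect(stream: bytes) -> str:
    """Verdict on the reassembled stream: 'drop', 'forward', or 'hold' (need more bytes)."""
    if any(sig in stream for sig in SIGNATURES):
        return "drop"                               # signature hit
    compliant = http_request_line_compliant(stream)
    if compliant is None:
        return "hold"                               # request line incomplete; keep buffering
    return "forward" if compliant else "drop"       # protocol irregularity -> drop


def split_segments(isn: int, data: bytes, sizes: List[int]) -> List[Segment]:
    """Cut data into segments of the given sizes with consecutive sequence numbers."""
    segs, seq, pos = [], isn, 0
    for n in sizes:
        segs.append(Segment(seq, data[pos:pos + n]))
        seq, pos = seq + n, pos + n
    if pos < len(data):
        segs.append(Segment(seq, data[pos:]))
    return segs


def run_stream(isn: int, segments: List[Segment]) -> Tuple[bytes, str]:
    """Feed segments in arrival order; return the reassembled bytes and the final verdict."""
    r = Reassembler(next_seq=isn)
    verdict = "hold"
    for seg in segments:
        if r.add(seg):                              # only re-inspect when new in-order bytes arrived
            verdict = inspect(bytes(r.data))
            if verdict == "drop":
                break                               # stop forwarding once the stream is judged hostile
    return bytes(r.data), verdict


if __name__ == "__main__":
    req = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    segs = split_segments(1000, req, [10, 15])
    print(run_stream(1000, [segs[2], segs[0], segs[1]]))   # segments arrive out of order
```

Inspecting only the reassembled stream, rather than each packet as it arrives, is what makes the signature check meaningful: a signature split across two segments is invisible to per-packet matching.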

b) As to claims 2, 12 and 15, Gleichauf discloses inspecting the TCP stream 
to detect information indicative of security breaches comprising inspecting the TCP 
stream for protocol irregularities (col. 6, lines 36-42). 

c) As to claims 3, 13, and 16-17, Gleichauf discloses inspecting the TCP stream to 
detect information indicative of a security breach comprising searching the TCP stream 
for attack signatures (col. 1, lines 29-31). 

d) As to claims 4, 31, 35, 50, 54, 66 and 69, Gleichauf discloses searching 
the TCP stream for attack signatures comprises using stateful signature detection (col. 
6, lines 45-52). 
e) As to claims 5, 14, 33, 52 and 67, Gleichauf discloses inspecting the TCP 
stream to detect information indicative of a security breach using a plurality of network 
intrusion detection methods (col. 6, lines 66-67). 

f) As to claims 6, 49, 53, 65 and 68, Gleichauf discloses the plurality of 
network intrusion detection methods comprises at least protocol anomaly detection 
(col. 6, lines 36-42). 

g) As to claim 7, Gleichauf discloses the plurality of network intrusion 
detection methods comprises at least signature detection (col. 6, lines 43-45). 

h) As to claim 10, Copeland discloses searching the packet flow descriptors 
for traffic signatures and inspecting the TCP stream comprises searching for a network 
attack identifier in the TCP stream based on the packet flow descriptors and sessions 
associated with the TCP stream (page 6, paragraph [0070]). 

i) As to claims 18 and 27, Gleichauf discloses a method and system for 
adaptive network security using intelligent packet analysis comprising reassembling a 
plurality of TCP packets in the network traffic into a TCP stream. Gleichauf implicitly 
discloses this limitation (i.e., TCP stream reassembly) (col. 6, lines 39-40); to make it 
even clearer, the examiner takes official notice that reassembling TCP packets 
into a TCP stream is quite well known in data communications networks. Data traveling 
over an IP network is always broken up into packets; the IP protocol adds information to 
each packet so that the routers along the network know where the data came from and 
where it is going; the packets may be received out of order, and are reassembled 
in the proper order at the destination computer. Gleichauf further discloses inspecting 
the TCP stream to detect information indicative of a security breach (col. 3, lines 1-4). 

Gleichauf does not explicitly disclose dropping a TCP packet from the TCP 
stream if the TCP stream contains information indicative of security breaches and 
forwarding a TCP packet to a network destination if the TCP stream does not contain 
information indicative of security breaches. 

Nikander is relied on for the teaching of dropping a TCP packet from the TCP 
stream if the TCP stream contains information indicative of security breaches and 
forwarding a TCP packet to a network destination if the TCP stream does not contain 
information indicative of security breaches (col. 4, lines 41-45). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to employ the use of dropping a TCP packet from the TCP stream if the TCP 
stream contains information indicative of security breaches and forwarding a TCP 
packet to a network destination if the TCP stream does not contain information 
indicative of security breaches in the system of Gleichauf, as Nikander teaches so as to 
effectively manage communications data. 

Gleichauf and Nikander do not expressly disclose grouping the plurality of TCP 
packets into packet flows and sessions, wherein grouping the plurality of TCP packets 
into packet flows and sessions comprises storing the packet flows and sessions in a 
hash table. 

Copeland discloses a flow-based intrusion detection system for detecting 
intrusions in computer communication networks comprising grouping the plurality of 
TCP packets into packet flows and sessions (Fig. 1, elements "FLOW F1-FLOW F4"; 
page 5, paragraph [0058]; Fig. 3), wherein grouping the plurality of TCP packets into 
packet flows and sessions comprises storing the packet flows and sessions in a hash 
table (page 9, paragraph [0107]), wherein inspecting the TCP stream to detect 
information indicative of a security breach comprises storing the packet flows in packet 
flow descriptors (paragraph 0050) and searching for a network attack identifier in the 
TCP stream based on the packet flow descriptors and sessions associated with the 
TCP stream (paragraphs 0051, 005, 0081-0083, 0172). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to employ the use of grouping the plurality of TCP packets into packet flows 
and sessions, wherein grouping the plurality of TCP packets into packet flows and 
sessions comprises storing the packet flows and sessions in a hash table, wherein 
inspecting the TCP stream to detect information indicative of a security breach 
comprises storing the packet flows in packet flow descriptors and searching for a 
network attack identifier in the TCP stream based on the packet flow descriptors and 
sessions associated with the TCP stream in the system of Gleichauf and Nikander, as 
Copeland teaches so as to effectively determine if the traffic data appears to be 
legitimate or possible suspicious activity. 

j) As to claims 21 and 38, Gleichauf discloses searching the TCP stream for 
attack signatures comprises querying the signatures database to determine whether 
there are matching signatures in the TCP stream (col. 6, lines 45-52; col. 5, lines 36- 
42). 
k) As to claims 22 and 39, Gleichauf discloses a method and system for 
adaptive network security using intelligent packet analysis comprising reassembling a 
plurality of TCP packets in the network traffic into a TCP stream. Gleichauf implicitly 
discloses this limitation (i.e., TCP stream reassembly) (col. 6, lines 39-40); to make it 
even clearer, the examiner takes official notice that reassembling TCP packets 
into a TCP stream is quite well known in data communications networks. Data traveling 
over an IP network is always broken up into packets; the IP protocol adds information to 
each packet so that the routers along the network know where the data came from and 
where it is going; the packets may be received out of order, and are reassembled 
in the proper order at the destination computer. Gleichauf further discloses inspecting 
the TCP stream to detect information indicative of a security breach (col. 3, lines 1-4), 
and querying a signatures database to determine whether there are matching signatures 
in the TCP stream (col. 6, lines 45-52; col. 5, lines 36-42). 

Gleichauf does not explicitly disclose dropping a TCP packet from the TCP 
stream if the TCP stream contains information indicative of security breaches and 
forwarding a TCP packet to a network destination if the TCP stream does not contain 
information indicative of security breaches. 

Nikander is relied on for the teaching of dropping a TCP packet from the TCP 
stream if the TCP stream contains information indicative of security breaches and 
forwarding a TCP packet to a network destination if the TCP stream does not contain 
information indicative of security breaches (col. 4, lines 41-45). 
It would have been obvious to one of ordinary skill in the art at the time of the 
invention to employ the use of dropping a TCP packet from the TCP stream if the TCP 
stream contains information indicative of security breaches and forwarding a TCP 
packet to a network destination if the TCP stream does not contain information 
indicative of security breaches in the system of Gleichauf, as Nikander teaches so as to 
effectively manage communications data. 

Gleichauf and Nikander do not expressly disclose using deterministic finite 
automata for pattern matching when querying a signatures database to determine 
whether there are matching signatures in the TCP stream. 

The examiner takes official notice that use of deterministic finite automaton for 
providing a pattern matching is well known in the theory of computation. 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to employ a deterministic finite automaton for pattern matching in the 
system of Gleichauf and Nikander so as to effectively implement the pattern 
matching. 
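As a worked illustration of the DFA technique the official notice above refers to, the following example is added here by the editor; it is not code from the office action, from Nikander, or from the two cited papers. It compiles a set of signatures into a deterministic automaton (an Aho-Corasick trie whose failure links are resolved into a complete 256-way transition table), so that scanning costs one table lookup per input byte, and it carries the automaton state across segment boundaries so a signature split over two TCP segments is still found. The signatures and the traffic are constructed.

```python
"""Added example (not from the office action or any cited reference): multi-
signature matching with a deterministic finite automaton compiled from the
signature set. Signatures and sample traffic are constructed."""
from collections import deque
from typing import Dict, List, Tuple


class SignatureDFA:
    def __init__(self, signatures: List[bytes]):
        self.signatures = list(signatures)
        self.trie: List[Dict[int, int]] = [{}]   # sparse trie edges per state
        self.out: List[List[int]] = [[]]         # signature ids accepted in each state
        for sid, sig in enumerate(self.signatures):
            s = 0
            for b in sig:
                if b not in self.trie[s]:
                    self.trie.append({})
                    self.out.append([])
                    self.trie[s][b] = len(self.trie) - 1
                s = self.trie[s][b]
            self.out[s].append(sid)
        self._compile()

    def _compile(self) -> None:
        """Breadth-first: compute each state's failure link and flatten the
        trie plus failure links into a full 256-entry transition row per state."""
        n = len(self.trie)
        fail = [0] * n
        self.delta: List[List[int]] = [[0] * 256 for _ in range(n)]
        queue = deque([0])
        while queue:
            r = queue.popleft()
            for b in range(256):
                if b in self.trie[r]:
                    self.delta[r][b] = self.trie[r][b]
                elif r:
                    self.delta[r][b] = self.delta[fail[r]][b]   # fail[r] is shallower: already built
            for b, s in self.trie[r].items():
                fail[s] = self.delta[fail[r]][b] if r else 0
                self.out[s] = self.out[s] + self.out[fail[s]]   # inherit shorter suffix matches
                queue.append(s)

    def scan(self, data: bytes, state: int = 0, base: int = 0) -> Tuple[List[Tuple[int, int]], int]:
        """Run the DFA over data starting in `state`; return (hits, final state).
        Each hit is (stream offset just past the match, signature id)."""
        hits: List[Tuple[int, int]] = []
        s = state
        for i, b in enumerate(data):
            s = self.delta[s][b]                    # exactly one lookup per byte
            for sid in self.out[s]:
                hits.append((base + i + 1, sid))
        return hits, s

    def scan_stream(self, chunks: List[bytes]) -> List[Tuple[int, int]]:
        """Scan consecutive segments while carrying the automaton state across them."""
        hits: List[Tuple[int, int]] = []
        s, base = 0, 0
        for chunk in chunks:
            h, s = self.scan(chunk, s, base)
            hits += h
            base += len(chunk)
        return hits


if __name__ == "__main__":
    dfa = SignatureDFA([b"/etc/passwd", b"cmd.exe", b"passwd"])
    print(dfa.scan(b"GET /etc/passwd HTTP/1.1")[0])
    # The same request split across two segments, scanned with and without carried state:
    print(dfa.scan(b"GET /etc/pas")[0] + dfa.scan(b"swd")[0])
    print(dfa.scan_stream([b"GET /etc/pas", b"swd"]))
```

The transition table is what makes this a DFA rather than a backtracking matcher: the scan loop has no inner while-loop over failure links, so its per-byte cost does not depend on the number or length of the signatures.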

l) As to claims 23, 25, 45 and 58, Gleichauf discloses reconstructing the 
plurality of TCP packets from a plurality of packet fragments (col. 6, lines 39-40). 

m) As to claim 32, Copeland discloses a traffic signature detection software 
module for searching the packet flow descriptors for traffic signatures (page 4, 
paragraphs [0047-0051]). 

n) As to claim 37, Gleichauf (6,324,656) discloses the protocol specifications 
comprise specifications of one or more of TCP protocol, HTTP protocol, SMTP protocol, 
FTP protocol, NETBIOS protocol, IMAP protocol, POP3 protocol, TELNET protocol, IRC 
protocol, RSH protocol, REXEC protocol, and RCMD protocol (Fig. 3B). 

o) As to claims 40, 55, 60 and 63-64, Gleichauf discloses a routine for 
collecting a plurality of security logs and alarms recording information about security 
breaches found in the TCP stream (col. 7, lines 1-5); a routine for storing a network 
security policy identifying the network traffic to inspect and a plurality of network attacks 
to be detected and prevented (col. 5, lines 33-42); a routine for distributing the network 
security policy to one or more gateway points in the network (Fig. 2, element 20) and a 
routine for updating the protocol database and the signatures database (col. 9, lines 7- 
13). 

p) As to claims 41, 56, and 61-62, Copeland discloses the system further 
comprising a graphical user interface comprising a routine for displaying network 
security information to network security administrators; and a routine for specifying a 
network security policy (page 11, paragraph [0182]). 

q) As to claim 43, Gleichauf discloses the network intrusion detection and 
prevention sensor is placed inside a firewall (col. 4, lines 47-49). 

r) As to claim 44, Gleichauf discloses the network intrusion detection and 
prevention sensor is placed outside a firewall (col. 5, lines 24-27). 

8. Claims 19 and 29 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Gleichauf et al. (6,499,107) and Gleichauf et al. (6,324,656) in view of Nikander et 
al. (6,253,321) in view of Copeland, III (2003/0105976) and further in view of Alexander 
et al. (2004/0258073). 

Gleichauf, Nikander and Copeland do not expressly disclose computing a hash 
value from a 5-tuple comprising a source IP address, a destination IP address, a source 
port, a destination port and a protocol type. 

Alexander discloses computing a hash value from a 5-tuple comprising a source 
IP address, a destination IP address, a source port, a destination port and a protocol 
type (page 3, paragraph [0027]). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to employ the use of computing a hash value from a 5-tuple comprising a 
source IP address, a destination IP address, a source port, a destination port and a 
protocol type in the system of Gleichauf, Nikander and Copeland, as Alexander teaches, 
so as to effectively perform packet filtering. 
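The combination relied on for claims 18, 27, 19 and 29 (Copeland's grouping of packets into flows and sessions held in a hash table, with a descriptor per flow that is searched for traffic signatures, keyed by Alexander's hash of the 5-tuple) is shown end to end in the following example. It is added here by the editor and is not code from the office action or from any cited reference. The traffic, the descriptor fields, the SYN-scan signature and its threshold are constructed for the example; using a keyed hash (BLAKE2b with a secret) for the bucket index is this example's design choice, made so that a sender who knows the hash function cannot force every flow into one bucket.

```python
"""Added example (not from the office action or any cited reference): flows and
sessions in a hash table indexed by a keyed hash of the 5-tuple, a descriptor
per flow, and a traffic-signature search over the descriptors. All traffic is
constructed."""
from dataclasses import dataclass, field
from hashlib import blake2b
from typing import Dict, List, Set, Tuple

FiveTuple = Tuple[str, str, int, int, int]     # src_ip, dst_ip, src_port, dst_port, proto
TCP = 6


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    flags: str          # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    length: int


@dataclass
class FlowDescriptor:
    key: FiveTuple
    packets: int = 0
    octets: int = 0
    flags_seen: Set[str] = field(default_factory=set)

    @property
    def syn_only(self) -> bool:
        """True when the flow never progressed past a bare SYN (half-open probe)."""
        return self.flags_seen == {"S"}


def five_tuple(p: Packet) -> FiveTuple:
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto)


def session_key(t: FiveTuple) -> Tuple[Tuple[str, int], Tuple[str, int], int]:
    """Direction-independent key so both halves of a connection form one session."""
    a, b = (t[0], t[2]), (t[1], t[3])
    return (min(a, b), max(a, b), t[4])


class FlowTable:
    def __init__(self, buckets: int = 256, secret: bytes = b"constructed-per-boot-key"):
        self.secret = secret      # keyed hash: attacker cannot precompute colliding 5-tuples
        self.buckets: List[Dict[FiveTuple, FlowDescriptor]] = [{} for _ in range(buckets)]

    def bucket_index(self, t: FiveTuple) -> int:
        raw = "|".join(map(str, t)).encode()
        h = blake2b(raw, key=self.secret, digest_size=8).digest()
        return int.from_bytes(h, "big") % len(self.buckets)

    def add(self, p: Packet) -> FlowDescriptor:
        """Map the packet to its flow (creating it on first sight) and update the descriptor."""
        t = five_tuple(p)
        bucket = self.buckets[self.bucket_index(t)]
        d = bucket.get(t)
        if d is None:
            d = bucket[t] = FlowDescriptor(t)
        d.packets += 1
        d.octets += p.length
        d.flags_seen.add(p.flags)
        return d

    def flows(self) -> List[FlowDescriptor]:
        return [d for bucket in self.buckets for d in bucket.values()]

    def sessions(self) -> Dict[tuple, List[FlowDescriptor]]:
        """Group the two directions of each connection into one session."""
        out: Dict[tuple, List[FlowDescriptor]] = {}
        for d in self.flows():
            out.setdefault(session_key(d.key), []).append(d)
        return out


def find_syn_scanners(table: FlowTable, min_ports: int) -> Set[str]:
    """Traffic signature over descriptors: one source with SYN-only flows to many ports of one host."""
    probes: Dict[Tuple[str, str], Set[int]] = {}
    for d in table.flows():
        if d.key[4] == TCP and d.syn_only:
            probes.setdefault((d.key[0], d.key[1]), set()).add(d.key[3])
    return {src for (src, _dst), ports in probes.items() if len(ports) >= min_ports}


def constructed_traffic() -> List[Packet]:
    """Constructed sample: one normal HTTP connection plus a SYN sweep of five ports."""
    pkts = [
        Packet("10.0.0.5", "192.0.2.10", 40000, 80, TCP, "S", 60),
        Packet("192.0.2.10", "10.0.0.5", 80, 40000, TCP, "SA", 60),
        Packet("10.0.0.5", "192.0.2.10", 40000, 80, TCP, "A", 52),
        Packet("10.0.0.5", "192.0.2.10", 40000, 80, TCP, "PA", 300),
        Packet("192.0.2.10", "10.0.0.5", 80, 40000, TCP, "PA", 1200),
    ]
    for port in (21, 22, 23, 25, 443):
        pkts.append(Packet("10.0.0.9", "192.0.2.10", 51000 + port, port, TCP, "S", 60))
    return pkts


def build_table(pkts: List[Packet]) -> FlowTable:
    table = FlowTable()
    for p in pkts:
        table.add(p)
    return table


if __name__ == "__main__":
    t = build_table(constructed_traffic())
    print(len(t.flows()), "flows in", len(t.sessions()), "sessions;",
          "SYN scanners:", find_syn_scanners(t, 5))
```

The flow (one direction, keyed by the full 5-tuple) and the session (both directions of a connection) are deliberately different groupings: the scan signature is computed over flows, while a half-open check such as "session never saw a SYN-ACK" would be computed over sessions.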

9. Claims 42, 46, 57 and 59 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Gleichauf et al. (6,499,107) in view of Nikander et al. (6,253,321) and 
further in view of Trcka et al. (6,453,345). 

a) As to claims 42 and 57, Gleichauf discloses a method and system for 
adaptive network security using intelligent packet analysis comprising reassembling a 
plurality of TCP packets in the network traffic into a TCP stream. Gleichauf implicitly 
discloses this limitation (i.e., TCP stream reassembly) at col. 6, lines 39-40; to make it 
even clearer, the examiner takes official notice that reassembling TCP packets 
into a TCP stream is quite well known in data communications networks. Data traveling 
over an IP network is always broken up into packets; the IP protocol adds information to 
each packet so that the routers along the network know where the data came from and 
where it is going; the packets may be received out of order, and are reassembled 
in the proper order at the destination computer. Gleichauf further discloses inspecting 
the TCP stream to detect information indicative of security breaches (col. 3, lines 1-4), 
wherein inspecting the TCP stream to detect information indicative of a security breach 
(col. 2, lines 50-55) comprises storing a plurality of protocol specifications supported by 
the network in a protocol database; and querying the protocol database to determine 
whether the plurality of TCP packets are compliant with one or more of the plurality of 
protocol specifications in the protocol database (col. 6, lines 31-33; col. 8, lines 20-35). 

Gleichauf (6,324,656) also discloses inspecting the TCP stream to detect 
information indicative of a security breach comprises storing a plurality of protocol 
specifications supported by the network in a protocol database; and querying the 
protocol database to determine whether the plurality of TCP packets are compliant with 
one or more of the plurality of protocol specifications in the protocol database (Fig. 3B; 
col. 6, lines 32 - col. 7, line 5). 

Gleichauf does not disclose dropping a TCP packet from the TCP stream if the 
TCP stream contains information indicative of a security breach and forwarding a TCP 
packet to a network destination if the TCP stream does not contain information 
indicative of a security breach. 

Nikander discloses dropping a TCP packet from the TCP stream if the TCP 
stream contains information indicative of a security breach and forwarding a TCP packet 
to a network destination if the TCP stream does not contain information indicative of a 
security breach (col. 4, lines 41-45). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to employ the use of dropping a TCP packet from the TCP stream if the TCP 
stream contains information indicative of a security breach and forwarding a TCP packet 
to a network destination if the TCP stream does not contain information indicative of a 
security breach in the system of Gleichauf, as Nikander teaches so as to effectively 
manage communications data. 

Gleichauf and Nikander do not disclose a central management server and a 
graphical user interface. 

Trcka discloses a network security and surveillance system comprising a central 
management center (col. 15, lines 13-21; Fig. 8, element 64) to control the network 
intrusion detection and prevention sensor and a graphical user interface for configuring 
the network intrusion detection and prevention sensor (col. 13, lines 50-65). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to employ a central management server to control the network intrusion 
detection and prevention sensor and a graphical user interface for configuring the 
network intrusion detection and prevention sensor (col. 13, lines 50-65) in the system 
of Gleichauf and Nikander, as Trcka teaches, so as to detect and protect against 
security breaches, network failures and other types of data compromising events 
(col. 1, lines 10-15). 



Gleichauf, Nikander and Trcka do not specifically disclose grouping the plurality 
of TCP packets into packet flows and sessions; storing the packet flows in packet flow 
descriptors and searching for a network attack identifier in the TCP stream based on the 
packet flow descriptors and sessions associated with the TCP stream. Copeland is 
relied on for the teaching of grouping the plurality of TCP packets into packet flows and 
sessions (paragraphs 0039; 0050); storing the packet flows in packet flow descriptors 
(paragraph 0050) and searching for a network attack identifier in the TCP stream based 
on the packet flow descriptors and sessions associated with the TCP stream 
(paragraphs 0051, 005, 0081-0083, 0172). It would have been obvious to one of 
ordinary skill in the art at the time of the invention to employ the use of grouping the 
plurality of TCP packets into packet flows and sessions, wherein grouping the plurality 
of TCP packets into packet flows and sessions comprises storing the packet flows and 
sessions in a hash table in the system of Gleichauf, Nikander and Trcka, as Copeland 
teaches so as to effectively determine if the traffic data appears to be legitimate or 
possible suspicious activity. 

b) As to claims 46 and 59, Nikander discloses dropping a TCP packet from 
the TCP stream if the TCP stream contains information indicative of security breaches 
and forwarding a TCP packet to a network destination if the TCP stream does not 
contain information indicative of a security breach (col. 4, lines 41-45). 



Conclusion 
Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Minh Dieu Nguyen whose telephone number is 571-272- 
3873. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on 571-272-3865. The fax phone number 
for the organization where this application or proceeding is assigned is (571) 273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For 
more information about the PAIR system, see http://pair-direct.uspto.gov . Should you 
have questions on access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). 